Modern computer systems normally require authentication procedures, in which users must first prove their identity and credentials before being given access. There are myriad levels and methods of authentication, involving widely varying degrees of sophistication and security. Some of the most common basic methods involve text based entry of a unique user id together with a secret passcode, password, or passphrase; others involve drawing a pattern on a screen, or various biometrics.
PINs used to authorize credit or debit card financial transactions are another example of authentication involving a secret code entered by a user. Such PINs are generally used when making routine POS (point of sale) retail store purchases or ATM cash withdrawals.
Common biometrics include scans of fingerprints, hand geometry, facial features, iris or retinal patterns, pupil size and shape, and electro-physiological signals such as EEG or ECG, as well as neural pattern scanners, nerve impulse detectors, etc. Authentication procedures may combine any of these methods.
In this context, the terms “password”, “passcode” and “PIN” are normally considered equivalent and are used interchangeably, unless qualified by context.
However, all authentication methods involve tradeoffs, often significant ones, between convenience and ease of use on the one hand and degree of security on the other. As computers, and mobile devices in particular, proliferate and become integral to modern life, so does the need for stronger security; but as virtual screens continue to shrink, highly secure authentication based on long and complex passwords becomes ever more difficult to use.
Biometrics such as fingerprints are popular, but they can be difficult to keep secret and some can be spoofed (faked) relatively easily. A major drawback is that they cannot be changed once compromised: each person has only 10 fingerprints, 2 eyes, and one set of DNA. Biometrics can also be obtained without consent, for example by physical or legal coercion, and fingerprints in particular are relatively easy to obtain directly from a person's hand or from a surface the person has touched. By contrast, passwords can be changed easily at any time.
Touch screen patterns are another common simple authentication method on the virtual screens typical of small mobile devices. Typically a pointer such as a finger is used to draw lines connecting a series of dots on the screen, tracing a predetermined path. A 3 by 3 grid of dots is a common implementation of this concept. But the complexity of the pattern is limited, and the method may be difficult to use accurately on small virtual screens or displays. Another drawback is that frequently used patterns often become visible as smudge marks on the screen, a significant security risk.
Picture based passwords are another common authentication method, which require the user to associate a series of gestures with specific locations in a familiar image, creating a unique pattern sometimes called a picture PIN (personal identification number). Gestures can include drawing a line or a shape, or tapping a point. Microsoft's Picture Password, introduced in Windows 8 and retained in Windows 10, is a good example. Such systems offer reasonably good and convenient security, but remain vulnerable because the image and the associated location gestures are static and can therefore be surreptitiously observed, captured and replayed in multiple ways. Another issue is that the system may be tricky to use on small screens, particularly with more complex images.
Passwords are one of the most common of these basic authentication methods: the user is required to create and memorize a secret, difficult to guess sequence of alphanumeric characters and/or symbols. Passwords are typically used in combination with a unique user id, and both are typically entered on a keyboard, each discrete character being typed individually, in precise order from the first character to the last.
Passwords are convenient because most computer devices are equipped with physical or virtual keyboards, typing requires very little processing, and the simple Unicode values of a password are easy to encrypt in transit, for example over secure network protocols such as HTTPS, and to validate at the receiving end. Passwords are also generally fairly easy to enter on relatively large standard desktop physical keyboards and on the virtual keyboards of larger mobile devices such as tablets and very large smartphones.
Passphrases are a variant in which the secret is a sequence of memorized words that the user must enter.
However, password systems also have significant drawbacks. The most secure passwords are long and complex and by design do not resemble actual words or other known patterns, qualities which make them difficult to guess but also difficult to remember. For example, on a conventional English language QWERTY keyboard there are roughly 95 printable ASCII characters to choose from for every single character of the password.
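The two preceding points, the limited complexity of a 3 by 3 touch screen pattern and the roughly 95 printable ASCII characters available per password character, can be put on the same footing by counting the number of possible secrets in each scheme and expressing it in bits. The Python below is an added illustration, not part of the original text. It enumerates every valid pattern on a 3 by 3 grid and compares the result with a 4-digit PIN and an 8-character printable ASCII password. The pattern rule it applies (each dot used at most once, and a straight segment that would pass over an unvisited dot connects to that dot instead, so such a jump is not a legal move) is the rule used by common Android-style pattern locks and is an assumption here; the page itself does not specify it.

```python
import math

GRID = 3                    # 3 by 3 grid, as in the text
DOTS = range(GRID * GRID)   # dots numbered 0..8, row by row


def dot_passed_over(a, b):
    """Return the dot lying midway on the straight segment from a to b, or None.

    Only segments whose midpoint is itself a dot (corner to corner through the
    centre, or along a full edge) pass over another dot. a and b must differ.
    """
    ra, ca = divmod(a, GRID)
    rb, cb = divmod(b, GRID)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None                          # midpoint falls between dots
    return ((ra + rb) // 2) * GRID + (ca + cb) // 2


def count_patterns(min_len=4, max_len=9):
    """Count valid patterns of each length by depth-first enumeration.

    Assumed rule (Android-style, not stated by the page): a dot may be used
    once, and a segment that passes over an unvisited dot is not a legal move
    because the pattern would connect to that dot instead.
    """
    counts = {n: 0 for n in range(min_len, max_len + 1)}

    def walk(last, visited, length):
        if length >= min_len:
            counts[length] += 1
        if length == max_len:
            return
        for nxt in DOTS:
            if nxt in visited:
                continue
            mid = dot_passed_over(last, nxt)
            if mid is not None and mid not in visited:
                continue                     # would skip over an unused dot
            walk(nxt, visited | {nxt}, length + 1)

    for start in DOTS:
        walk(start, {start}, 1)
    return counts


def keyspace_bits(size):
    """Entropy in bits of a secret chosen uniformly from `size` possibilities."""
    return math.log2(size)


def password_bits(length, alphabet=95):
    """Bits of a uniformly random password of `length` symbols.

    95 is the number of printable ASCII characters (0x20 to 0x7E, space included).
    """
    return length * math.log2(alphabet)


def compare_keyspaces():
    """Bit strength of a 3x3 pattern, a 4-digit PIN and an 8-character password."""
    total_patterns = sum(count_patterns().values())
    return {
        "pattern_3x3": keyspace_bits(total_patterns),
        "pin_4_digit": password_bits(4, alphabet=10),
        "password_8_ascii": password_bits(8),
    }


if __name__ == "__main__":
    for n, c in count_patterns().items():
        print(f"length {n}: {c:7d} patterns")
    for name, bits in compare_keyspaces().items():
        print(f"{name:17s} {bits:5.1f} bits")
```

Even with every pattern of length 4 to 9 allowed, the whole pattern space is a few hundred thousand possibilities, roughly 18.6 bits, which is only a little more than a 4-digit PIN (about 13.3 bits) and far below an 8-character password drawn uniformly from printable ASCII (about 52.6 bits). The comparison assumes uniformly random choices; in practice users choose both patterns and passwords far from uniformly, which narrows the gap, but it does not widen the pattern space.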
More secure passwords are also time consuming and tricky to enter or type without errors, in part because password characters are typically masked as they are entered, which can cause the user to lose their reference point. These problems are greatly compounded on the very small virtual screens typical of mobile computers such as smart watches and smartphones. Password entry can be particularly challenging when using the thumb typing methods common on small devices.
On small screen virtual keyboards the tiny keys are hard to see and to select accurately, making typing slow, tedious, difficult and highly error prone. There are simply too many keys in too little space (high information density) for efficient use. Virtual keyboards typical of touch screen mobile devices are challenging to use because they generally duplicate the layout of larger physical desktop keyboards, without taking into account the different ergonomics of small screens, particularly in common hand held and on the go usage.
Passwords and patterns can also be compromised in relatively simple ways, for example by key logger malware or spyware hidden on a user's device, which captures the secret as it is typed.
By contrast, authentication involving recognition of a visual pattern or image can be a trivial task for a human but quite challenging for software and hardware. CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), for example, is a widely used method of distinguishing humans from automated systems; it requires the user to visually interpret obfuscated character imagery, and because each challenge differs, a response captured by key logging spyware is of little use for replay. CAPTCHA, however, is designed to verify that a human rather than a machine is operating a computer, not to verify which human. Moreover, current CAPTCHA like password recognition methods can be unnecessarily difficult and inconvenient to use, particularly on small screens, since by design they require a large number of challenging recognition steps, normally one for each individual password character or element.